Re: SELinux vs. logwatch and virsh




On 08/14/2014 11:02 AM, Bill Gee wrote:
> Hello everyone -
>
> I am stumped ...  Does anyone have suggestions on how to proceed?  Is there a way 
> to get what I want?
>
> The environment:  CentOS 7.0 with latest patches. 
>
> The goal:  I want logwatch to include a report on the status of kvm virtual computers.
>
> The problem:  When run from anacron, SELinux denies permission for the virsh utility.  
> Here is a portion of the logwatch output:
>
> --------------------- KVM libvirt status report Begin ------------------------ 
>
>  Date Range: yesterday
>  /etc/logwatch/scripts/services/libvirt: line 15: /usr/bin/virsh: Permission denied
>  
> ---------------------- KVM libvirt status report End ------------------------- 
>
> If I "run-parts  /etc/cron.daily" from a root console, it all works.  Same if I run "logwatch" 
> from a root console.
>
> I set SELinux to permissive and that allows virsh to run.  Therefore I know it is 
> something to do with SELinux.
>
> The logwatch script is:
>
> 	#Lots of comments
> 	/usr/bin/virsh list --all
>
> I see the selinux security context of virsh is
>
> 	system_u:object_r:virsh_exec_t:s0
>
> while logwatch.pl runs as 
>
> 	system_u:object_r:logwatch_exec_t:s0
>
> As I understand it, selinux does not permit having multiple type settings for a file.  Any 
> file can have exactly one type setting.  
>
> I ran this command hoping it would add another type to the virsh program.
>
> 	semanage fcontext -a -t logwatch_exec_t /usr/bin/virsh
>
> 	semanage fcontext --list /usr/bin/virsh | grep virsh
> /usr/bin/virsh                                     all files         system_u:object_r:logwatch_exec_t:s0 
> /usr/bin/virsh                                     regular file      system_u:object_r:virsh_exec_t:s0 
> /usr/sbin/xl                                       regular file      system_u:object_r:virsh_exec_t:s0 
> /usr/sbin/xm                                       regular file      system_u:object_r:virsh_exec_t:s0 
>
> Semanage did add the new type, but that did not fix the problem.  Virsh still gets 
> "permission denied" when logwatch tries to run it.
>
> Thanks - Bill Gee
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
What AVC messages are you seeing?

ausearch -m avc -ts recent.
I would put the machine in permissive mode, run your tests and then add
the allow rules using

audit2allow -M mylogwatch


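As an added example (not code from either post in this thread): a small POSIX shell helper that reads AVC records in the shape `ausearch -m avc -ts recent` prints and collapses them into the `allow` rules a local policy module would need, so they can be read before `audit2allow -M mylogwatch` is run and the resulting `mylogwatch.pp` is loaded with `semodule -i`. The two AVC records are constructed to resemble the denial Bill describes (a process in the logwatch_t domain executing a file labelled virsh_exec_t); the audit ids, pids and inode numbers are made up, and the `comm=` and `path=` values are assumptions.

```shell
#!/bin/sh
# Added example, not from the CentOS list thread: summarise SELinux AVC
# denials as allow rules for review before building a policy module.

# CONSTRUCTED sample records in the format "ausearch -m avc -ts recent"
# prints; pids, inode numbers and audit ids are made up.
SAMPLE_AVC='type=AVC msg=audit(1408032120.123:456): avc:  denied  { execute } for  pid=12345 comm="libvirt" name="virsh" dev="dm-0" ino=1234 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file
type=AVC msg=audit(1408032120.456:457): avc:  denied  { execute_no_trans } for  pid=12345 comm="libvirt" path="/usr/bin/virsh" dev="dm-0" ino=1234 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:virsh_exec_t:s0 tclass=file'

# avc_to_rules: read AVC records on stdin and print one "allow" rule per
# distinct (source type, target type, object class), merging the denied
# permissions, which is the shape audit2allow writes into a .te file.
# The type is the third colon-separated field of each security context.
avc_to_rules() {
    awk '
    /avc: +denied/ {
        perm = ""; stype = ""; ttype = ""; tclass = ""
        # denied permissions sit between "{" and "}"
        if (match($0, /[{] *[^}]* *[}]/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split(substr($i, 10), s, ":"); stype = s[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
            else if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (perm == "" || stype == "" || ttype == "" || tclass == "") next
        key = stype "\t" ttype "\t" tclass
        n = split(perm, p, " ")
        for (j = 1; j <= n; j++) {
            # keep each permission once per rule, in first-seen order
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                perms[key] = perms[key] " " p[j]
            }
        }
    }
    END {
        for (k in perms) {
            split(k, f, "\t")
            print "allow " f[1] " " f[2] ":" f[3] " {" perms[k] " };"
        }
    }' | sort
}

# build_module_from_audit: the workflow from the thread on a real host.
# Skips itself when the audit tools are absent so the parser above can be
# tried anywhere. Nothing here loads the module; read mylogwatch.te first.
build_module_from_audit() {
    if ! command -v ausearch >/dev/null 2>&1 || ! command -v audit2allow >/dev/null 2>&1; then
        echo "audit tools not installed; skipping" >&2
        return 0
    fi
    # summary of what would be granted
    ausearch -m avc -ts recent | avc_to_rules
    # writes mylogwatch.te and mylogwatch.pp in the current directory;
    # load only after review with: semodule -i mylogwatch.pp
    ausearch -m avc -ts recent | audit2allow -M mylogwatch
}

# Stand-alone run: show the rules the constructed denials would produce.
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
```

For the constructed records the helper prints `allow logwatch_t virsh_exec_t:file { execute execute_no_trans };`. That is worth reading before it is loaded: `execute_no_trans` means virsh keeps running in the logwatch_t domain instead of transitioning into the domain that the virsh_exec_t label normally leads to, so the generated module widens what logwatch itself may do rather than giving virsh its own confinement. Running the machine in permissive mode first, as the reply suggests, collects every denial of the run in one pass so the module does not have to be rebuilt denial by denial.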